From 2effc7e15fb4b6203d5479a215dfb246d8f52826 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY
Date: Mon, 22 Feb 2021 01:46:44 +0100
Subject: [PATCH] issue: secure against external form submissions
Ignore api requests (preview from (failed) login), and require subject field to be sure. Fixes empty issues after failed logins.
---
 issue/index.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/issue/index.php b/issue/index.php
index 8b42d11..704a405 100644
--- a/issue/index.php
+++ b/issue/index.php
@@ -42,8 +42,12 @@ if ($id and ctype_digit($id)) {
 return;
 }
-if ($_POST) {
+if ($Page->api) return;
+if ($_POST and isset($_POST['subject'])) {
 require_once 'upload.inc.php';
+ if (strlen($_POST['subject']) < 2) {
+ throw new Exception('Een minimaal onderwerp is verplicht om een issue aan te maken.');
+ }
 $query = $Db->set('issues', [
 'page' => $Page->handler,
 'subject' => $_POST['subject'],
@@ -55,7 +59,6 @@ if ($_POST) {
 }
 $_POST = [];
 }
-if ($Page->api) return;
 $subsql = "SELECT count(*) FROM comments WHERE page=i.page||'/'||i.id";
 $cols = "*, ($subsql AND message IS NOT NULL) AS replycount";
-- 
2.30.0
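Review bot: The new `strlen($_POST['subject']) < 2` check in the first hunk assumes the field is a string; when `subject` arrives as an array, `strlen()` throws a TypeError on PHP 8 (or warns and yields null on PHP 7, which then compares as `< 2`), and because `strlen` counts bytes a single multibyte character or two spaces passes as a "minimal subject". A type- and whitespace-aware guard is safer: `if (!is_string($_POST['subject']) || mb_strlen(trim($_POST['subject'])) < 2) {`. Requiring the subject field also does not by itself stop external form submissions as the subject line claims, since a foreign form can include that field too; if the project has no per-session anti-forgery token, one compared with `hash_equals()` before the `$Db->set('issues', …)` call is what actually enforces that. The `if ($_POST and isset($_POST['subject']))` block opened here closes in the second hunk.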